Actor(s): Lazarus Group
There is no description at this point.
// Auto-generated code-sequence rule for win.feed_load (Malpedia, attributed on the page to Lazarus Group).
// The hex sequences below are the authoritative part of the rule; the per-opcode
// disassembly comments come from the generator and do not appear to line up with the
// opcode bytes on the same line (REX-prefixed x64 bytes seem to have been decoded as
// 32-bit code), so do not rely on them when triaging a hit. `????????` wildcards stand
// in for relocated call/load targets that differ between builds.
rule win_feed_load_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.feed_load."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.feed_load"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // "n" is the number of opcode groups in the sequence; "score" is the
        // generator's ranking value for the sequence (meaning per yara-signator docs).
        $sequence_0 = { 488b942480000000 448d4718 448902 488bcd ff15???????? }
            // n = 5, score = 100
            //   488b942480000000     | cmp    ebp, dword ptr [edi]
            //   448d4718             | dec    ebp
            //   448902               | mov    eax, dword ptr [edi + 0x238]
            //   488bcd               | dec    esp
            //   ff15????????         |

        $sequence_1 = { e8???????? 448b8f60100000 4c8d0589690200 bb04010000 488d8d30010000 8bd3 }
            // n = 6, score = 100
            //   e8????????           |
            //   448b8f60100000       | inc    ecx
            //   4c8d0589690200       | pop    esi
            //   bb04010000           | pop    edi
            //   488d8d30010000       | ret
            //   8bd3                 | dec    eax

        $sequence_2 = { 483b8c2488000000 0f8262020000 4883fa08 7226 488b01 498d52e0 }
            // n = 6, score = 100
            //   483b8c2488000000     | cmp    esi, 0xf
            //   0f8262020000         | jb     0xfc7
            //   4883fa08             | mov    byte ptr [edi], 0xf0
            //   7226                 | dec    ecx
            //   488b01               | lea    esi, [esi - 0xf]
            //   498d52e0             | dec    eax

        $sequence_3 = { 85c8 75d6 418bcc 48897c2430 412bcf 41ba81808080 }
            // n = 6, score = 100
            //   85c8                 | dec    ecx
            //   75d6                 | add    edx, eax
            //   418bcc               | dec    esp
            //   48897c2430           | lea    eax, [0xffff48bd]
            //   412bcf               | dec    eax
            //   41ba81808080         | mov    dword ptr [ecx + 8], edx

        $sequence_4 = { 4c2bc5 4c8bce 4c2bcb 488bd5 488bcb 498d0410 4885c0 }
            // n = 7, score = 100
            //   4c2bc5               | dec    esp
            //   4c8bce               | lea    eax, [0xffff52c9]
            //   4c2bcb               | dec    ecx
            //   488bd5               | mov    edx, dword ptr [edi + 8]
            //   488bcb               | movzx  ecx, byte ptr [edx]
            //   498d0410             | and    ecx, 0xf
            //   4885c0               | dec    edx

        $sequence_5 = { ff8170040000 83b97004000002 0f84fa010000 4c8d35263b0100 bd20000000 897350 89732c }
            // n = 7, score = 100
            //   ff8170040000         | je     0x158
            //   83b97004000002       | dec    eax
            //   0f84fa010000         | mov    dword ptr [edi + 0x10], eax
            //   4c8d35263b0100       | dec    eax
            //   bd20000000           | test   eax, eax
            //   897350               | je     0x1ad
            //   89732c               | cmp    dword ptr [ebp - 0x7c], 4

        $sequence_6 = { c744242803000000 4889742420 ff15???????? 48894710 4885c0 0f84ce000000 }
            // n = 6, score = 100
            //   c744242803000000     | mov    eax, ecx
            //   4889742420           | dec    ecx
            //   ff15????????         |
            //   48894710             | add    edi, 4
            //   4885c0               | dec    esp
            //   0f84ce000000         | add    edi, eax

        $sequence_7 = { 4885d2 746c 4585c0 7467 83600800 33db 83602000 }
            // n = 7, score = 100
            //   4885d2               | inc    ecx
            //   746c                 | mov    al, dh
            //   4585c0               | shl    al, 4
            //   7467                 | mov    byte ptr [edi], al
            //   83600800             | dec    eax
            //   33db                 | mov    ecx, edi
            //   83602000             | dec    eax

        $sequence_8 = { 418b8630020000 89442438 488d8580070000 4889442430 488d8578050000 4889442428 }
            // n = 6, score = 100
            //   418b8630020000       | add    esp, 0x20
            //   89442438             | pop    ebx
            //   488d8580070000       | dec    eax
            //   4889442430           | lea    eax, [0x989c]
            //   488d8578050000       | dec    eax
            //   4889442428           | cmp    ecx, eax

        $sequence_9 = { 488d542430 ff15???????? 393b 7424 48217c2420 488d151cec0200 4c8b05???????? }
            // n = 7, score = 100
            //   488d542430           | dec    eax
            //   ff15????????         |
            //   393b                 | cmp    edi, ecx
            //   7424                 | jb     0x643
            //   48217c2420           | dec    eax
            //   488d151cec0200       | mov    ebx, dword ptr [esp + 0x38]
            //   4c8b05????????       |

    condition:
        // Size bound first (cheap), then require 7 of the 10 code sequences;
        // "$sequence_*" covers every string in this rule, so this is the same
        // predicate as "7 of them".
        filesize < 512000 and 7 of ($sequence_*)
}